Tag Archives: APT

Responding to the Asus Live Update Supply Chain Compromise

Earlier last week the security vendor Kaspersky detailed their initial findings from the compromised supply chain of the Taiwanese hardware vendor Asus.

TL DR: If you own or use any Asus laptop or desktop system, please check if your device is affected using the downloadable tool from Kaspersky (which checks the MAC address (defined) of your network card). If you know how to obtain the MAC address of your network card manually you can use the online tool. This is the link for both tools: https://securelist.com/operation-shadowhammer/89992/

If you are affected, contact Kaspersky, contact Asus or use the anti-malware tools to try attempt removal of the backdoor (defined) yourself.

When did this attack take place and what was affected?
This incident took place from June to November 2018 and was initially thought to have affected approximately 60,000 users. This number was later revised to possibly affecting just over a million users. While primarily users in Asia and Russia were targeted; a graph of victim’s distribution by country shows users within South America, Europe and the US. It was later disclosed that mainly Asus laptops were affected by this incident.

What Asus infrastructure was affected?
An older version of the Asus Live Update utility was compromised by unknown attackers so that it would inject a backdoor within the Asus Live Update utility when it was running. The compromised Asus Live Update utility was signed with an older but still legitimate Asus digital signature. The compromised Asus utility was available for download from two official Asus servers.

What were the attacker’s intentions?
Unfortunately, even after extensive analysis it is unknown why the attackers targeted their chosen victim systems or what their eventual goal was. The backdoor would have likely allowed the attackers to steal files of their choice, remote control the system (if the second stage had been installed) and deploy compromised updates to systems which in the case of a UEFI update may have rendered the system unbootable.

It appears the goal of the attackers was to target approximately 600 systems of interest to them with the initial intention to carry the above-mentioned actions. We know it is approximately 600 systems since upon installation the malware would check if the system had a MAC address of interest; if yes it would install the stage 2 download (which unfortunately Kaspersky was unable to obtain a sample of). The server which hosted the stage 2 download was taken offline in November 2018 before Kaspersky became aware of this attack.

If the system was not of interest, the backdoor would simply stay dormant on the system. It’s unclear how the attackers may choose to leverage this in the future (assuming it remains intact on a system which installed the compromised utility).

Do we know who is responsible?
It is not possible to determine with absolute certainty who these attackers were but it is believed it is the same perpetrators as that of the ShadowPad incident of 2017. Microsoft identifies this advanced persistent threat (APT) (defined) group with the designation of BARIUM (who previously made use of the Winnti backdoor).

How have Asus responded to this threat?
Initially when Kaspersky contacted Asus on the 31st of January 2019 Asus denied their servers were compromised. Separately a Kaspersky employee met with Asus in person on the 14th of February 2019. However, Asus remained largely until earlier this week.

On the 26th of March Asus published a notice which contains an FAQ. They issued an updated version (3.6.8) of the Asus Live Update utility. Additionally, they have “introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future”.

They have also made available a utility to check if your system was affected. It is downloadable from the above linked to notice.

How can I remove the backdoor from my system if I installed the compromised Asus utility?
While Asus in their announcement recommends a full backup and full reset of your system; for some that may not be a preferred choice. If you use Kaspersky security suite it will very likely easily remove it since they were the first to detect it.

Please which ever approach is more convenient for you.

If you want to leave your system as it is:
I would first recommend a scan of your system with your current anti-malware product. I would then recommend using free anti-malware scanners such as RogueKiller, AdwCleaner and PowerEraser since they use cloud based forensic analysis and compare known safe files on your system with VirusTotal to check if any file has been tampered with or is new/suspicious. It is very unlikely the backdoor could hide from all of these utilities. Yes, this is overkill but will ensure a thorough check.

A link to full original story of this malware is available here.

You use an Asus system; how were you affected?
Since my high-end Core i9 7980 Extreme desktop uses an Asus desktop motherboard (ROG Rampage VI Apex); I ran the Asus utility to check my system; It displayed the message “Only for Asus systems” before closing. I’ll make an educated guess and assume that since the threat mainly affects laptops running this tool on a desktop system resulted in this message.

The offline and online tools from Kaspersky showed no issues with my system. I wasn’t surprised since I don’t use the Asus Live Update utility. Their drivers are available manually from their website and that’s how I stay updated.

I upload every downloaded file for my system to VirusTotal, verify the checksums and digital signatures, use two reputation based scanners on new downloads and have application whitelisting enabled. In summary; my system will be more difficult to compromise.

Thank you.

December 2018 Update Summary

Update: 3rd January 2019
Apologies for the delay.

Microsoft made available an out of band (un-scheduled) security update available for Internet Explorer on the 19th of December. This vulnerability is being actively exploited; thus if you have not already done, please update your Windows systems. All supported Windows Server and consumer versions of Windows are affected. The full table of affected Windows versions is available here from Microsoft.

For Lenovo laptops running Windows 10 Version 1607 with less than 8 GB of system memory (RAM); Microsoft has provided the following workarounds since this new security update inadvertently causes these systems to be unbootable:

Restart the affected machine using the Unified Extensible Firmware Interface (UEFI). Disable Secure Boot and then restart.

If BitLocker is enabled on your machine, you may have to go through BitLocker recovery after Secure Boot has been disabled.

Microsoft is working with Lenovo and will provide an update in an upcoming release.

Thank you.

Original Post:
Earlier today Microsoft and Adobe made available monthly updates addressing 39 vulnerabilities and 88 vulnerabilities (more formally known as CVEs (defined)) respectively. As always; more information is available from Microsoft’s monthly summary page and Adobe’s blog post.

While Adobe’s update addresses a large number of vulnerabilities; Microsoft’s released updates are fewer in overall vulnerabilities and should be considered light when compared to some months this year. If you use Adobe Flash Player, if you have not already done so; please ensure it is up to date (version They addressed a zero day (defined) vulnerability with that update earlier this month which was in use by an APT group (defined in this context it is an organised group making use of zero day vulnerabilities).

Unfortunately; Microsoft’s updates also come with a list of Known Issues that will be resolved in future updates. They are listed below for your reference:

KB4471318: Windows 7 SP1 and Windows Server 2008 R2 SP1 : Workaround provided

KB4471321 : Windows 10, Version 1607Windows Server 2016 : resolutions are in progress

KB4471324 Windows 10, Version 1803 : resolution in progress

KB4471327 : Windows 10, Version 1703 : resolution in progress

KB4471329 Windows 10, Version 1709 : resolution in progress

As briefly mentioned above Adobe issued updates for Adobe Acrobat and Reader:

Adobe Acrobat and ReaderPriority 2: Resolves 40x Critical CVEs ands 48x Important CVEs

If you use Adobe Acrobat or Reader, please update it as soon as possible especially given the large number of critical vulnerabilities that were patched.

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):


A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

For this month’s Microsoft updates, I will prioritize the order of installation below:
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

CVE-2018-8611 : Windows Kernel (defined) (this vulnerability is already being exploited)

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Please find below summaries of other notable updates released this month.

Thank you.

Mozilla Firefox
Also earlier today Mozilla made available security updates for Firefox and Firefox ESR (Extended Support Release):

Firefox 64: Resolves 2x critical CVEs (defined), 5x high CVEs, 3x moderate CVEs and 1x low CVE

Firefox ESR 60.4: Resolves 1x critical CVE, 4x high CVEs and 1x low CVE.

Further details of the security issues resolved by these updates are available in the links above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

Separately; Firefox 64 now includes small pop-ups known as “snippets” which turned out to be an experiment by Mozilla. If you wish to turn them off; the steps are available here.

Meanwhile extension recommendations within Firefox 64 can be disabled using these steps.

Google Chrome:
Google released Google Chrome version 71.0.3578.80 to address 43 vulnerabilities.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

APT28 Group Distributes First in the Wild UEFI Rootkit

Update: 6th February 2019
In mid-January, the IT news website; The Register provided details of an analysis of this threat from the security firm Netscout. They concluded that they believe the malware utilising the UEFI rootkit began as long as 2 years ago:

In addition; the command and control (C2) (defined) infrastructure originating from this threat remains operational but has reduced from 7 servers to 2. The attackers also have further servers and reserved IP addresses ready to use should they need to.

Thank you.

Original Post:
In late September; researchers from the security/anti-malware firm Eset discovered the first UEFI (defined) rootkit (defined) being used in the wild (namely being present on computing devices used by the general public in their professional and personal lives).

The APT group known as APT28 (who we discussed before on this blog) has been named as being responsible for this advanced threat being distributed to victim systems located in the Central Europe, Eastern Europe and the Balkans.

Why should this threat be considered important?
While this threat is so far limited to targeting systems in Central Europe, Eastern Europe and the Balkans; it has the potential to set a precedent to dramatically increase the persistence of malware on selected systems. This is due to the fact that to save time malware removal usually involves re-installing the operating system. More advanced users may choose to re-create the MBR/GPT, replace the boot sector and rebuild the BCD. Even more informed users may replace the hard disk to remove the malware. This new threat is significant since all of these steps would not remove it.

Eset researchers discovered that the LoJack anti-theft software which was installed compromised systems was being leveraged to start the attacker’s malware instead by using the Windows registry (defined) to load files with very similar names to that of the legitimate LoJack software. They also located a kernel (defined) driver (defined) being used to write the systems firmware when required. Since this tool was a legitimate tool; it has a valid digital signature. This is significant; otherwise the attacker’s tool would not have worked on a 64 bit Windows system. Should attempts to write to the firmware fail, the malware uses a 4 year old vulnerability CVE-2014-8273 (a race condition (defined)) to bypass the write lock.

Once the firmware has been updated it replaces the original LoJack software files with hijacked versions designed to enable further persistence on the compromised systems, namely a backdoor (defined).

How can I protect myself against this threat?
While it is less likely a threat of this sophistication will become widespread; the steps below will help to defend you against this and similar threats in the future. How this threat establishes an initial foothold on a system was inconclusive by Eset. However exercising caution on the links you click in emails, IMs and social networking should provide some form of prevention. Keeping your system up to date should also prevent a drive by download (defined). However I will detail more specific defensive steps below:

Eset determined that this threat can be prevented from affecting a system by enabling the Secure Boot hardware security feature (if your system has this feature available; most systems manufactured from 2012 onwards do). Any system with a certified Windows 8 or Windows 10 badge on the outside will have Secure Boot enabled with no action required from you. Secure Boot works even better when paired with Intel BootGuard (corporate users are more likely to use/enable this feature).

If the rootkit had affected the system described above it would have then refused to boot due to Secure Boot being enabled. It’s important to clarify that Secure Boot won’t prevent the infection/tampering but it will prevent that tampering from starting the system for use as normal.

Secure Boot was added to Windows 8.0 in 2012 to prevent unsigned components (e.g. rootkits) from affecting a system so early in the boot process that anti-malware software would be unable to detect or prevent that component from obtaining a privileged level of access over the system.


Keeping the UEFI firmware of your system up to date will assist with resolving known vulnerabilities within the firmware. Patching known firmware vulnerabilities makes your system less vulnerable to low level attacks such as this. Please only install UEFI firmware updates from your system vendor. Check the vendor’s website or contact them to determine if you need a UEFI firmware update and how to install it. If possible/available verify the checksum (defined) of the file you download matches the vendors provided checksum. I use the word available above since not all vendors provide checksums of the firmware updates they distribute which would allow you to verify them.

More recent Intel motherboards (defined) are not vulnerable to the race condition by Eset in their paper (more details available here). These modern chipsets feature a Platform Controller Hub (present in Intel’s Series 5 chipsets and later (available circa 2010 onwards).

If you know of a system affected with such a low level threat you may be able to update the UEFI firmware with a known safe version from the vendor but this is not guaranteed to work. Replacing the hardware will be a more reliable alternative.

Thank you.

SpectreRSB and NetSpectre Vulnerabilities Explained

In late July; security researchers publicly disclosed (defined) a new set of vulnerabilities within Intel CPUs (defined) (and possibly AMD and ARM; which the researchers also notified). These vulnerabilities are collectively referred to as SpectreRSB (Return Stack Buffer). The purpose of an RSB is explained in this document (PDF) but in summary it is a buffer (defined) that stores multiple return addresses while attempting to predict function (a set of instructions that carries out a specific action within a program) return addresses.

A very short time later nearing the end of July; a separate set of researchers released details of another vulnerability known as NetSpectre. This is an evict and reload cache attack that targets systems remotely to extract data.

How could an attacker exploit these vulnerabilities and what is the result?
For SpectreRSB; an attacker could recover data from the speculative execution feature of the CPU by targeting the Return Stack Buffer and predicting the return address which it stores. By manipulating the data it contains by predicting the return address the CPU will access when it completes a task the attacker can influence the address CPU will jump to and thus jump to an address of the attacker’s choosing. Unfortunately; this buffer is shared among the threads (defined) on the same virtual process thus affecting multiple running processes and virtual machines.

The attacker could alter the RSB to expose and gather data from applications running within the CPU. Another form of manipulation by the researchers resulted in them being able to expose data contained within Intel’s Software Guard Extensions (defined)(PDF).


Separately for the NetSpectre vulnerability; if attackers can send specifically crafted packets (defined) to a vulnerable system they can use the responses they receive to infer data from that systems memory. Currently this can only take place at a very low rate; 15 bits per hour. This means 15 times a zero or a one; in other words true or false (I’m not referring to Boolean logic here; just trying to convey a concept) or even simpler on for 1 and off for zero. This increased to 60 bits per hour for an Intel CPU equipped with AVX2 instructions.

With such a low throughput at this time (although I realise an attack can usually be refined and significantly improved within a short time); this attack is not a practical threat but more a theoretical weakness.

How can I protect myself from these vulnerabilities?
The good news for this SpectreRSB subclass of vulnerabilities is that Intel has already created an update but not for all of it’s CPU (Intel Core i7 Skylake (6th Generation Core models) and later CPUs). The researchers are aware of this patch and are recommending it’s use. When I use the word subclass above; my meaning is that SpectreRSB is a subclass of the original Spectre vulnerabilities from January this year. Red Hat also announced they are reviewing these vulnerabilities.

Intel however have stated that existing mitigations from the vulnerabilities disclosed in January will protect against this new subclass. However this is unconfirmed at this time.


While an APT (defined) could leverage the NetSpectre vulnerability over a period of weeks or months to extract useful data; existing mitigations for Spectre variant 1 and variant 2 mitigate this new vulnerability reinforcing my statement above of being a theoretical weakness.

In summary; to protect against both classes of these vulnerabilities; please continue to roll-out the mitigations for the Spectre vulnerabilities from January 2018 (if you have not already completed them).

For any system which cannot be updated (due to performance or end of life constraints e.g. Intel not providing updates for some CPUs); seek to migrate the responsibilities/roles/duties of these systems to newer CPUs which have received updates. A list of patched and un-patched Intel CPUs is available here (PDF).

Thank you.

Disclosed Microsoft Zero Day Under Attack By APT Group

Update: 8th November:
The Microsoft zero day vulnerability discussed in this post has now been patched. Please refer to this post for the appropriate information and download links.

Thank you.

Original Post:
Earlier this week Google publicly disclosed (defined) details of a new zero day (defined) vulnerability affecting supported versions of Windows up to Windows 10. Fortunately, the disclosure only included minimal details.

Why Should These Issues Be Considered Important?
The vulnerability disclosed by Google could result with an attacker being able to elevate their privileges (defined) on an affected system. However, when used in combination with a previously patched Adobe Flash Player vulnerability (reference previous post) this could result in a Windows system under your responsibility or in your ownership to have a backdoor (defined) installed.

Some good news is that this new exploit primarily targets organisations that operate in the following sectors (thus all other organisations are at somewhat reduced risk): government, intelligence or military organisations.

The nature of the backdoor is the decision of the attacker but would usually include a means of remaining persistent on the system and allowing the attacker to remote access the infected system. This backdoor can then be used to move data of the attacker’s choice off the affected system. The APT group known as STRONTIUM by Microsoft (other aliases used in the wider cyber security industry are APT28, also aka Sofacy aka Fancy Bear aka TsarTeam aka Sednit aka PawnStorm). STRONTIUM is also known for moving laterally throughout the network which they compromise (where the pass the hash (PtH) (defined) technique is the method of choice to do so).

How Can I Protect Myself From This Issue?
While a patch from Microsoft is in progress (scheduled for release on the 8th of November): follow safe email guidelines namely don’t click on unexpected/unsolicited links or open potentially dangerous email attachments to prevent the execution (carrying out of) the exploits actions in the first instance.

If you use the Microsoft Edge or Google Chrome web browsers the exploit for the local elevation of privilege vulnerability will be mitigated. This is due to Chrome’s sandbox (defined) blocking the use of API (defined) calls to the win32k.sys driver (defined). This in addition to its existing mitigations when installed on Windows 10 which I previously discussed.

Microsoft Edge on the other hand implements Code Integrity to prevent the next steps of exploitation.

To protect endpoints within your organisation you could consider utilising the logging capabilities of Microsoft EMET and Systinternals’ Sysmon by processing their logs using a SIEM (defined) and taking action when that SIEM a alerts you to suspicion activity. This is especially true since this exploit can occur from within web browsers, the Java JRE, Microsoft Word and Microsoft PowerPoint (namely that these applications are used to open suspicious/untrusted files).

My thanks to a colleague (you know who you are!) for compiling very useful information for this blog post.

Thank you.

June 2016 Security Updates Summary

Yesterday Microsoft released their scheduled monthly security updates.

Microsoft’s updates consist of 16 security bulletins (not yet included is the upcoming Adobe Flash Player update (more details below)). These bulletins resolve 44 vulnerabilities more formally known as CVEs (defined).

One helpful point to note that should make deploying these updates easier is that Microsoft’s Security Bulletin Summary doesn’t list any Known Issues at this time. However please double check the IT Pro Patch Tuesday blog to ensure that there are no issues being experienced before you begin installing the new updates.

As briefly discussed above one of Microsoft’s bulletins relates to Adobe’s Flash Player update; however, that update will be made available later this week (scheduled to arrive on the 16th of June) according to Adobe). Similar to last month this update will resolve a zero day (defined) vulnerability that is currently being exploited. I will update this post when more information becomes available.

Update: 17th June 2016:
As scheduled Adobe released an updated version of Flash Player to address the zero-day vulnerability currently being used by an APT (Advanced Persistent Threat) (defined) group to attack systems belonging high profile targets.

This update also addresses 35 other critical CVEs. For Google Chrome, I have confirmed that version 51.0.2704.103 released yesterday contains the appropriate updated version of Flash Player.

For Windows 8.1 and later Microsoft have released a security bulletin MS16-083 (which is not yet listed on their security bulletin page at the time of writing). It includes the same fixes within the above mentioned Adobe bulletin.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Chrome. Further discussion of this update is available in this blog post.

Adobe also released a security bulletin for Adobe AIR (its application runtime) to address a priority 3 vulnerability in the AIR installer. More information as well as installation steps are available in the relevant security bulletin.

If I can clarify any of the above update installation steps, please let me know. I am always more than happy to assist.

Thank you.

Adobe did however have make available four security bulletins yesterday that address vulnerabilities in Adobe DNG SDK (1 CVE addressed), Adobe Brackets (2 CVEs addressed), Adobe Creative Cloud Desktop (2 CVEs addressed ) and ColdFusion (1 CVE addressed of higher priority than all others). If you use any of these products, please review the security bulletins linked to above and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):


A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

Please make the Update for DNS Server your first priority since it is not only of critical severity but DNS (defined) is a business critical service used by business of all sizes making it a higher risk. Follow this with Microsoft Office, Microsoft Internet Explorer, Microsoft Edge and Microsoft Jscript and VBScript due to their severities and prevalent use. All remaining security updates can be installed when time allows.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Apologies for not posting new content in such a long time. With other commitments that needed my attention as well as resolving the hardware failure issue 2 weeks ago (that I mentioned previously) led to this delay. I will post more content soon. Thank you for your understanding.

Adobe Releases Out of Band Security Update For Flash Player

Yesterday evening, Adobe published a security bulletin to announce the availability of a security update for it’s widely used Flash Player web browser plugin. The term “out of band” refers to the fact that this update was not issued according to Adobe’s usual schedule of issuing updates on the second Tuesday of the month.

This update resolves 1 high severity CVE which is currently being exploited by an Advanced Persistent Threat (APT) Group known as APT3. Such an exploit for a flaw that is exploited before it was patched by the vendor is known as a zero day vulnerability. The purpose of the malware being used in this attack is to gain as much access with a corporate network as possible and to install backdoors within those compromised systems (most likely for either further intelligence gathering or intellectual property theft).

The attack begins by the intended victims receiving phishing emails (interestingly these emails are more widespread in nature rather than targeted/customized spear phishing messages). The intended victims are based in large companies that work in varying industries e.g. transport, construction and aerospace (among others). Upon clicking the intended link within the messages, the victim is re-directed to a malicious website where they are profiled (in order to determine which exploit/attack to use to compromise the device visiting the site). A malicious Adobe Flash Player SWF (Small Web Format, formally Shockwave Flash) file and an FLV (Flash video) file are downloaded and are then used to deliver malware to the victim’s device (by exploiting the flaw Adobe has just patched). Full technical details including:

  • How it bypasses operating system defences
  • How the malware un-packs/de-obfuscates itself
  • How it exploits a vulnerable version of Flash Player are provided by FireEye in this blog post.

Other points of interest for this exploit are that its payload is xor (Exclusive OR) encoded and packed using and packed using RC4 encryption. Since a custom encryption scheme was not used it may imply this exploit was developed quickly or the attackers were already confident of success/stealth and thus a more complex encryption scheme to disguise the malware was deemed unnecessary.

Flash Player updates for Linux, Apple Mac OS X and Windows are available from this link (which can be used if you don’t have automatic updating enabled or simply wish to install the update as soon as possible). Users of Google Chrome and Internet Explorer 10 and 11 (installed on Windows 8.0 and 8.1) should receive updates very soon. Google may issue a component update simply to update Flash Player since it has just updated Chrome for security reasons earlier this week. Microsoft has announced the availability of their Flash update by updating this security advisory.

Update: 29th June 2015: According to the well-known malware researcher Kafeine, the Magnitude Exploit kit is now exploiting the flaw that Adobe patched just 4 days ago to install Cryptowall ransomware on the Windows devices that it compromises.

I would recommend that everyone who uses Adobe Flash Player to apply the appropriate updates as soon as possible in order to avoid this exploit affecting your devices.

Thank you.